932d2daed83de552a3fa0aeb838b214ab9fd8f7e94ff72bbd4f98b5c3aa3c2d2

Analysis

max time kernel
152s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
07-11-2022 15:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

932d2daed83de552a3fa0aeb838b214ab9fd8f7e94ff72bbd4f98b5c3aa3c2d2.exe
Size

85KB
MD5

0d9fde1582052315cff7d346d40c47e1
SHA1

c79906d6e8c25c6b22781af6a038e1d59695c790
SHA256

932d2daed83de552a3fa0aeb838b214ab9fd8f7e94ff72bbd4f98b5c3aa3c2d2
SHA512

2fc23420a4389efb6e79978ce14da54177e0b01d860989e370a442c399c20788cc71e32e33fd77187a01f31f50932c25ab0dcd063a20abbcce07e29f8f372214
SSDEEP

1536:NHsxFJfgaDjofVKn1pGwTJOlw1UrVxwl:NM1JDSAOwECax2

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 22 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	932d2daed83de552a3fa0aeb838b214ab9fd8f7e94ff72bbd4f98b5c3aa3c2d2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	932d2daed83de552a3fa0aeb838b214ab9fd8f7e94ff72bbd4f98b5c3aa3c2d2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	cute.exe

Modifies system executable filetype association 2 TTPs 64 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	932d2daed83de552a3fa0aeb838b214ab9fd8f7e94ff72bbd4f98b5c3aa3c2d2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	932d2daed83de552a3fa0aeb838b214ab9fd8f7e94ff72bbd4f98b5c3aa3c2d2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	932d2daed83de552a3fa0aeb838b214ab9fd8f7e94ff72bbd4f98b5c3aa3c2d2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	932d2daed83de552a3fa0aeb838b214ab9fd8f7e94ff72bbd4f98b5c3aa3c2d2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe

Modifies visibility of file extensions in Explorer 2 TTPs 11 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Tiwi.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	IExplorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	imoet.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cute.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	932d2daed83de552a3fa0aeb838b214ab9fd8f7e94ff72bbd4f98b5c3aa3c2d2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Tiwi.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	IExplorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	imoet.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cute.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 11 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	IExplorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	IExplorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	imoet.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	cute.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	Tiwi.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	imoet.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	cute.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	932d2daed83de552a3fa0aeb838b214ab9fd8f7e94ff72bbd4f98b5c3aa3c2d2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	Tiwi.exe

Disables RegEdit via registry modification 11 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Tiwi.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	932d2daed83de552a3fa0aeb838b214ab9fd8f7e94ff72bbd4f98b5c3aa3c2d2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Tiwi.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	IExplorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	IExplorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	imoet.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	cute.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	imoet.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	cute.exe

Disables Task Manager via registry modification
evasion

Disables cmd.exe use via registry modification 11 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	cute.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	Tiwi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	932d2daed83de552a3fa0aeb838b214ab9fd8f7e94ff72bbd4f98b5c3aa3c2d2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	Tiwi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	imoet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	IExplorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	IExplorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	imoet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	cute.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 36 IoCs

pid	Process
4764	Tiwi.exe
2232	IExplorer.exe
4952	winlogon.exe
3304	imoet.exe
1588	cute.exe
400	Tiwi.exe
4896	Tiwi.exe
4036	IExplorer.exe
5012	winlogon.exe
3372	imoet.exe
4816	cute.exe
2744	Tiwi.exe
5096	Tiwi.exe
4388	IExplorer.exe
1268	IExplorer.exe
1008	winlogon.exe
3708	winlogon.exe
3312	imoet.exe
3024	imoet.exe
564	cute.exe
4256	cute.exe
2704	Tiwi.exe
5000	IExplorer.exe
4664	Tiwi.exe
4944	Tiwi.exe
2504	IExplorer.exe
4684	IExplorer.exe
1552	winlogon.exe
1984	winlogon.exe
5032	winlogon.exe
4448	imoet.exe
3492	imoet.exe
3020	imoet.exe
3868	cute.exe
4412	cute.exe
912	cute.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4820-132-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral2/memory/4820-135-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral2/files/0x0006000000022f5c-137.dat	upx
behavioral2/files/0x0006000000022f5c-138.dat	upx
behavioral2/memory/4764-141-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral2/files/0x0006000000022f60-143.dat	upx
behavioral2/files/0x0006000000022f60-144.dat	upx
behavioral2/files/0x0006000000022f62-148.dat	upx
behavioral2/files/0x0006000000022f62-149.dat	upx
behavioral2/files/0x0006000000022f63-153.dat	upx
behavioral2/files/0x0006000000022f63-154.dat	upx
behavioral2/files/0x0006000000022f64-158.dat	upx
behavioral2/files/0x0006000000022f64-159.dat	upx
behavioral2/files/0x0006000000022f61-166.dat	upx
behavioral2/files/0x0006000000022f5f-165.dat	upx
behavioral2/files/0x0006000000022f5e-164.dat	upx
behavioral2/files/0x0006000000022f5d-163.dat	upx
behavioral2/files/0x0006000000022f65-162.dat	upx
behavioral2/memory/2232-167-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral2/memory/4952-168-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral2/memory/3304-169-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral2/memory/1588-173-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral2/files/0x0006000000022f5c-174.dat	upx
behavioral2/memory/4764-176-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral2/files/0x0006000000022f5e-179.dat	upx
behavioral2/files/0x0006000000022f61-181.dat	upx
behavioral2/files/0x0006000000022f5f-180.dat	upx
behavioral2/files/0x0006000000022f5d-178.dat	upx
behavioral2/files/0x0006000000022f65-177.dat	upx
behavioral2/memory/2232-183-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral2/memory/400-185-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral2/files/0x0006000000022f5f-189.dat	upx
behavioral2/files/0x0006000000022f5e-188.dat	upx
behavioral2/files/0x0006000000022f5d-187.dat	upx
behavioral2/files/0x0006000000022f65-186.dat	upx
behavioral2/files/0x0006000000022f61-190.dat	upx
behavioral2/files/0x0006000000022f5c-194.dat	upx
behavioral2/memory/4896-198-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral2/files/0x0006000000022f60-200.dat	upx
behavioral2/files/0x0006000000022f62-204.dat	upx
behavioral2/files/0x0006000000022f63-208.dat	upx
behavioral2/files/0x0006000000022f64-212.dat	upx
behavioral2/memory/4036-215-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral2/memory/5012-216-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral2/memory/4816-218-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral2/memory/3372-217-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral2/files/0x0006000000022f65-222.dat	upx
behavioral2/files/0x0006000000022f5d-224.dat	upx
behavioral2/files/0x0006000000022f5f-226.dat	upx
behavioral2/files/0x0006000000022f5e-225.dat	upx
behavioral2/files/0x0006000000022f61-227.dat	upx
behavioral2/files/0x0006000000022f60-228.dat	upx
behavioral2/files/0x0006000000022f5c-223.dat	upx
behavioral2/files/0x0006000000022f63-221.dat	upx
behavioral2/files/0x0006000000022f64-220.dat	upx
behavioral2/files/0x0006000000022f62-219.dat	upx
behavioral2/files/0x0006000000022f5c-232.dat	upx
behavioral2/files/0x0006000000022f5e-235.dat	upx
behavioral2/files/0x0006000000022f5f-237.dat	upx
behavioral2/files/0x0006000000022f5d-234.dat	upx
behavioral2/memory/4820-238-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral2/files/0x0006000000022f61-239.dat	upx
behavioral2/files/0x0006000000022f65-233.dat	upx
behavioral2/files/0x0006000000022f5e-244.dat	upx

Loads dropped DLL 7 IoCs

pid	Process
400	Tiwi.exe
4896	Tiwi.exe
2744	Tiwi.exe
5096	Tiwi.exe
2704	Tiwi.exe
4664	Tiwi.exe
4944	Tiwi.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi"	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\	932d2daed83de552a3fa0aeb838b214ab9fd8f7e94ff72bbd4f98b5c3aa3c2d2.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run\	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi"	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run\	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run\	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe"	imoet.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run\	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe"	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\	IExplorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run\	IExplorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run\	imoet.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run\	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe"	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	932d2daed83de552a3fa0aeb838b214ab9fd8f7e94ff72bbd4f98b5c3aa3c2d2.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run\	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe"	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi"	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\	cute.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run\	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe"	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi"	932d2daed83de552a3fa0aeb838b214ab9fd8f7e94ff72bbd4f98b5c3aa3c2d2.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run\	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	cute.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run\	932d2daed83de552a3fa0aeb838b214ab9fd8f7e94ff72bbd4f98b5c3aa3c2d2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe"	932d2daed83de552a3fa0aeb838b214ab9fd8f7e94ff72bbd4f98b5c3aa3c2d2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe"	932d2daed83de552a3fa0aeb838b214ab9fd8f7e94ff72bbd4f98b5c3aa3c2d2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe"	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi"	cute.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\B:	Tiwi.exe
File opened (read-only)	\??\E:	Tiwi.exe
File opened (read-only)	\??\J:	cute.exe
File opened (read-only)	\??\G:	Tiwi.exe
File opened (read-only)	\??\L:	imoet.exe
File opened (read-only)	\??\S:	imoet.exe
File opened (read-only)	\??\W:	932d2daed83de552a3fa0aeb838b214ab9fd8f7e94ff72bbd4f98b5c3aa3c2d2.exe
File opened (read-only)	\??\V:	IExplorer.exe
File opened (read-only)	\??\J:	Tiwi.exe
File opened (read-only)	\??\I:	IExplorer.exe
File opened (read-only)	\??\E:	imoet.exe
File opened (read-only)	\??\M:	cute.exe
File opened (read-only)	\??\T:	cute.exe
File opened (read-only)	\??\Z:	cute.exe
File opened (read-only)	\??\I:	932d2daed83de552a3fa0aeb838b214ab9fd8f7e94ff72bbd4f98b5c3aa3c2d2.exe
File opened (read-only)	\??\O:	imoet.exe
File opened (read-only)	\??\O:	winlogon.exe
File opened (read-only)	\??\K:	932d2daed83de552a3fa0aeb838b214ab9fd8f7e94ff72bbd4f98b5c3aa3c2d2.exe
File opened (read-only)	\??\Z:	Tiwi.exe
File opened (read-only)	\??\K:	winlogon.exe
File opened (read-only)	\??\K:	cute.exe
File opened (read-only)	\??\U:	cute.exe
File opened (read-only)	\??\H:	Tiwi.exe
File opened (read-only)	\??\R:	imoet.exe
File opened (read-only)	\??\T:	imoet.exe
File opened (read-only)	\??\B:	932d2daed83de552a3fa0aeb838b214ab9fd8f7e94ff72bbd4f98b5c3aa3c2d2.exe
File opened (read-only)	\??\Y:	Tiwi.exe
File opened (read-only)	\??\K:	IExplorer.exe
File opened (read-only)	\??\U:	IExplorer.exe
File opened (read-only)	\??\F:	cute.exe
File opened (read-only)	\??\J:	IExplorer.exe
File opened (read-only)	\??\J:	imoet.exe
File opened (read-only)	\??\X:	winlogon.exe
File opened (read-only)	\??\E:	cute.exe
File opened (read-only)	\??\W:	cute.exe
File opened (read-only)	\??\O:	932d2daed83de552a3fa0aeb838b214ab9fd8f7e94ff72bbd4f98b5c3aa3c2d2.exe
File opened (read-only)	\??\P:	imoet.exe
File opened (read-only)	\??\Y:	imoet.exe
File opened (read-only)	\??\Z:	winlogon.exe
File opened (read-only)	\??\T:	932d2daed83de552a3fa0aeb838b214ab9fd8f7e94ff72bbd4f98b5c3aa3c2d2.exe
File opened (read-only)	\??\I:	Tiwi.exe
File opened (read-only)	\??\B:	winlogon.exe
File opened (read-only)	\??\L:	winlogon.exe
File opened (read-only)	\??\V:	cute.exe
File opened (read-only)	\??\E:	IExplorer.exe
File opened (read-only)	\??\G:	cute.exe
File opened (read-only)	\??\X:	cute.exe
File opened (read-only)	\??\H:	IExplorer.exe
File opened (read-only)	\??\H:	imoet.exe
File opened (read-only)	\??\N:	cute.exe
File opened (read-only)	\??\P:	cute.exe
File opened (read-only)	\??\Q:	IExplorer.exe
File opened (read-only)	\??\B:	imoet.exe
File opened (read-only)	\??\Q:	imoet.exe
File opened (read-only)	\??\T:	winlogon.exe
File opened (read-only)	\??\Y:	winlogon.exe
File opened (read-only)	\??\L:	932d2daed83de552a3fa0aeb838b214ab9fd8f7e94ff72bbd4f98b5c3aa3c2d2.exe
File opened (read-only)	\??\O:	Tiwi.exe
File opened (read-only)	\??\V:	Tiwi.exe
File opened (read-only)	\??\N:	imoet.exe
File opened (read-only)	\??\O:	cute.exe
File opened (read-only)	\??\W:	winlogon.exe
File opened (read-only)	\??\R:	cute.exe
File opened (read-only)	\??\V:	932d2daed83de552a3fa0aeb838b214ab9fd8f7e94ff72bbd4f98b5c3aa3c2d2.exe

Modifies WinLogon 2 TTPs 33 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum"	932d2daed83de552a3fa0aeb838b214ab9fd8f7e94ff72bbd4f98b5c3aa3c2d2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P "	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P "	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum"	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	932d2daed83de552a3fa0aeb838b214ab9fd8f7e94ff72bbd4f98b5c3aa3c2d2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum"	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P "	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P "	932d2daed83de552a3fa0aeb838b214ab9fd8f7e94ff72bbd4f98b5c3aa3c2d2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P "	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P "	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P "	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P "	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P "	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P "	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P "	cute.exe

Drops autorun.inf file 1 TTPs 2 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File created	C:\autorun.inf	932d2daed83de552a3fa0aeb838b214ab9fd8f7e94ff72bbd4f98b5c3aa3c2d2.exe
File opened for modification	C:\autorun.inf	932d2daed83de552a3fa0aeb838b214ab9fd8f7e94ff72bbd4f98b5c3aa3c2d2.exe

Drops file in System32 directory 47 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\IExplorer.exe	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\tiwi.scr	winlogon.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	imoet.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\tiwi.scr	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	cute.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	Tiwi.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	IExplorer.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	Tiwi.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	imoet.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	cute.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\tiwi.scr	cute.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	932d2daed83de552a3fa0aeb838b214ab9fd8f7e94ff72bbd4f98b5c3aa3c2d2.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	Tiwi.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	Tiwi.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\tiwi.scr	932d2daed83de552a3fa0aeb838b214ab9fd8f7e94ff72bbd4f98b5c3aa3c2d2.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	932d2daed83de552a3fa0aeb838b214ab9fd8f7e94ff72bbd4f98b5c3aa3c2d2.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	932d2daed83de552a3fa0aeb838b214ab9fd8f7e94ff72bbd4f98b5c3aa3c2d2.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	Tiwi.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	IExplorer.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	cute.exe
File opened for modification	C:\Windows\SysWOW64\tiwi.scr	932d2daed83de552a3fa0aeb838b214ab9fd8f7e94ff72bbd4f98b5c3aa3c2d2.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\tiwi.scr	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\tiwi.scr	Tiwi.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	Tiwi.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	winlogon.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\shell.exe	932d2daed83de552a3fa0aeb838b214ab9fd8f7e94ff72bbd4f98b5c3aa3c2d2.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\tiwi.scr	Tiwi.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\tiwi.scr	imoet.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	imoet.exe

Drops file in Windows directory 30 IoCs

description	ioc	Process
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\tiwi.exe	imoet.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\tiwi.exe	cute.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\tiwi.exe	Tiwi.exe
File created	C:\Windows\tiwi.exe	Tiwi.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\tiwi.exe	Tiwi.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\tiwi.exe	winlogon.exe
File opened for modification	C:\Windows\tiwi.exe	imoet.exe
File created	C:\Windows\tiwi.exe	cute.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\tiwi.exe	932d2daed83de552a3fa0aeb838b214ab9fd8f7e94ff72bbd4f98b5c3aa3c2d2.exe
File created	C:\Windows\tiwi.exe	IExplorer.exe
File created	C:\Windows\tiwi.exe	Tiwi.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\tiwi.exe	932d2daed83de552a3fa0aeb838b214ab9fd8f7e94ff72bbd4f98b5c3aa3c2d2.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\tiwi.exe	IExplorer.exe
File opened for modification	C:\Windows\tiwi.exe	IExplorer.exe
File created	C:\Windows\tiwi.exe	IExplorer.exe
File created	C:\Windows\tiwi.exe	winlogon.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe

Modifies Control Panel 64 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR"	932d2daed83de552a3fa0aeb838b214ab9fd8f7e94ff72bbd4f98b5c3aa3c2d2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\Mouse\SwapMouseButtons = "1"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	cute.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\Mouse\	Tiwi.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\Mouse\	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\Mouse\SwapMouseButtons = "1"	imoet.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\s2359 = "Tiwi"	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\s2359 = "Tiwi"	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\s2359 = "Tiwi"	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR"	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\s1159 = "Tiwi"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	Tiwi.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\Mouse\	imoet.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\Desktop\	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\s2359 = "Tiwi"	932d2daed83de552a3fa0aeb838b214ab9fd8f7e94ff72bbd4f98b5c3aa3c2d2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\s1159 = "Tiwi"	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	932d2daed83de552a3fa0aeb838b214ab9fd8f7e94ff72bbd4f98b5c3aa3c2d2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\Mouse\	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\s2359 = "Tiwi"	cute.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\Mouse\	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	Tiwi.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	imoet.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\Mouse\	Tiwi.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\Mouse\SwapMouseButtons = "1"	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	IExplorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR"	imoet.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\	Tiwi.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	IExplorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\Mouse\SwapMouseButtons = "1"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\s1159 = "Tiwi"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\s1159 = "Tiwi"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR"	cute.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\Mouse\SwapMouseButtons = "1"	932d2daed83de552a3fa0aeb838b214ab9fd8f7e94ff72bbd4f98b5c3aa3c2d2.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\Desktop\	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\s2359 = "Tiwi"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\Desktop\	cute.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\Mouse\SwapMouseButtons = "1"	Tiwi.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\Mouse\	IExplorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\Desktop\	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	cute.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	Tiwi.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\s2359 = "Tiwi"	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR"	cute.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\Desktop\	932d2daed83de552a3fa0aeb838b214ab9fd8f7e94ff72bbd4f98b5c3aa3c2d2.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\Desktop\	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\s1159 = "Tiwi"	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR"	IExplorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\	imoet.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\	932d2daed83de552a3fa0aeb838b214ab9fd8f7e94ff72bbd4f98b5c3aa3c2d2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	cute.exe

Modifies Internet Explorer settings 1 TTPs 33 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com"	imoet.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main\	IExplorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main\	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.."	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.."	Tiwi.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main\	IExplorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main\	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com"	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com"	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.."	Tiwi.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main\	cute.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main\	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.."	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main\	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com"	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com"	932d2daed83de552a3fa0aeb838b214ab9fd8f7e94ff72bbd4f98b5c3aa3c2d2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.."	932d2daed83de552a3fa0aeb838b214ab9fd8f7e94ff72bbd4f98b5c3aa3c2d2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.."	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com"	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com"	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main\	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.."	imoet.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main\	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.."	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.."	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.."	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.."	IExplorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main\	932d2daed83de552a3fa0aeb838b214ab9fd8f7e94ff72bbd4f98b5c3aa3c2d2.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main\	Tiwi.exe

Modifies Internet Explorer start page 1 TTPs 11 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com"	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com"	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com"	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com"	932d2daed83de552a3fa0aeb838b214ab9fd8f7e94ff72bbd4f98b5c3aa3c2d2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com"	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com"	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com"	cute.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF"	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	932d2daed83de552a3fa0aeb838b214ab9fd8f7e94ff72bbd4f98b5c3aa3c2d2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	932d2daed83de552a3fa0aeb838b214ab9fd8f7e94ff72bbd4f98b5c3aa3c2d2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF"	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	932d2daed83de552a3fa0aeb838b214ab9fd8f7e94ff72bbd4f98b5c3aa3c2d2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	932d2daed83de552a3fa0aeb838b214ab9fd8f7e94ff72bbd4f98b5c3aa3c2d2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	cute.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4820	932d2daed83de552a3fa0aeb838b214ab9fd8f7e94ff72bbd4f98b5c3aa3c2d2.exe
4820	932d2daed83de552a3fa0aeb838b214ab9fd8f7e94ff72bbd4f98b5c3aa3c2d2.exe
4820	932d2daed83de552a3fa0aeb838b214ab9fd8f7e94ff72bbd4f98b5c3aa3c2d2.exe
4820	932d2daed83de552a3fa0aeb838b214ab9fd8f7e94ff72bbd4f98b5c3aa3c2d2.exe
4820	932d2daed83de552a3fa0aeb838b214ab9fd8f7e94ff72bbd4f98b5c3aa3c2d2.exe
4820	932d2daed83de552a3fa0aeb838b214ab9fd8f7e94ff72bbd4f98b5c3aa3c2d2.exe
4820	932d2daed83de552a3fa0aeb838b214ab9fd8f7e94ff72bbd4f98b5c3aa3c2d2.exe
4820	932d2daed83de552a3fa0aeb838b214ab9fd8f7e94ff72bbd4f98b5c3aa3c2d2.exe
4820	932d2daed83de552a3fa0aeb838b214ab9fd8f7e94ff72bbd4f98b5c3aa3c2d2.exe
4820	932d2daed83de552a3fa0aeb838b214ab9fd8f7e94ff72bbd4f98b5c3aa3c2d2.exe
4820	932d2daed83de552a3fa0aeb838b214ab9fd8f7e94ff72bbd4f98b5c3aa3c2d2.exe
4820	932d2daed83de552a3fa0aeb838b214ab9fd8f7e94ff72bbd4f98b5c3aa3c2d2.exe
4820	932d2daed83de552a3fa0aeb838b214ab9fd8f7e94ff72bbd4f98b5c3aa3c2d2.exe
4820	932d2daed83de552a3fa0aeb838b214ab9fd8f7e94ff72bbd4f98b5c3aa3c2d2.exe

Suspicious behavior: GetForegroundWindowSpam 5 IoCs

pid	Process
4896	Tiwi.exe
3372	imoet.exe
5012	winlogon.exe
4036	IExplorer.exe
4816	cute.exe

Suspicious use of SetWindowsHookEx 36 IoCs

pid	Process
4820	932d2daed83de552a3fa0aeb838b214ab9fd8f7e94ff72bbd4f98b5c3aa3c2d2.exe
4764	Tiwi.exe
2232	IExplorer.exe
4952	winlogon.exe
3304	imoet.exe
1588	cute.exe
4896	Tiwi.exe
4036	IExplorer.exe
5012	winlogon.exe
3372	imoet.exe
4816	cute.exe
2744	Tiwi.exe
5096	Tiwi.exe
4388	IExplorer.exe
1268	IExplorer.exe
1008	winlogon.exe
3708	winlogon.exe
3312	imoet.exe
3024	imoet.exe
564	cute.exe
4256	cute.exe
2704	Tiwi.exe
4664	Tiwi.exe
5000	IExplorer.exe
4944	Tiwi.exe
2504	IExplorer.exe
4684	IExplorer.exe
1552	winlogon.exe
1984	winlogon.exe
5032	winlogon.exe
4448	imoet.exe
3492	imoet.exe
3020	imoet.exe
3868	cute.exe
4412	cute.exe
912	cute.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4820 wrote to memory of 4764	4820	932d2daed83de552a3fa0aeb838b214ab9fd8f7e94ff72bbd4f98b5c3aa3c2d2.exe	80
PID 4820 wrote to memory of 4764	4820	932d2daed83de552a3fa0aeb838b214ab9fd8f7e94ff72bbd4f98b5c3aa3c2d2.exe	80
PID 4820 wrote to memory of 4764	4820	932d2daed83de552a3fa0aeb838b214ab9fd8f7e94ff72bbd4f98b5c3aa3c2d2.exe	80
PID 4820 wrote to memory of 2232	4820	932d2daed83de552a3fa0aeb838b214ab9fd8f7e94ff72bbd4f98b5c3aa3c2d2.exe	81
PID 4820 wrote to memory of 2232	4820	932d2daed83de552a3fa0aeb838b214ab9fd8f7e94ff72bbd4f98b5c3aa3c2d2.exe	81
PID 4820 wrote to memory of 2232	4820	932d2daed83de552a3fa0aeb838b214ab9fd8f7e94ff72bbd4f98b5c3aa3c2d2.exe	81
PID 4820 wrote to memory of 4952	4820	932d2daed83de552a3fa0aeb838b214ab9fd8f7e94ff72bbd4f98b5c3aa3c2d2.exe	82
PID 4820 wrote to memory of 4952	4820	932d2daed83de552a3fa0aeb838b214ab9fd8f7e94ff72bbd4f98b5c3aa3c2d2.exe	82
PID 4820 wrote to memory of 4952	4820	932d2daed83de552a3fa0aeb838b214ab9fd8f7e94ff72bbd4f98b5c3aa3c2d2.exe	82
PID 4820 wrote to memory of 3304	4820	932d2daed83de552a3fa0aeb838b214ab9fd8f7e94ff72bbd4f98b5c3aa3c2d2.exe	83
PID 4820 wrote to memory of 3304	4820	932d2daed83de552a3fa0aeb838b214ab9fd8f7e94ff72bbd4f98b5c3aa3c2d2.exe	83
PID 4820 wrote to memory of 3304	4820	932d2daed83de552a3fa0aeb838b214ab9fd8f7e94ff72bbd4f98b5c3aa3c2d2.exe	83
PID 4820 wrote to memory of 1588	4820	932d2daed83de552a3fa0aeb838b214ab9fd8f7e94ff72bbd4f98b5c3aa3c2d2.exe	84
PID 4820 wrote to memory of 1588	4820	932d2daed83de552a3fa0aeb838b214ab9fd8f7e94ff72bbd4f98b5c3aa3c2d2.exe	84
PID 4820 wrote to memory of 1588	4820	932d2daed83de552a3fa0aeb838b214ab9fd8f7e94ff72bbd4f98b5c3aa3c2d2.exe	84
PID 4764 wrote to memory of 400	4764	Tiwi.exe	85
PID 4764 wrote to memory of 400	4764	Tiwi.exe	85
PID 4764 wrote to memory of 400	4764	Tiwi.exe	85
PID 4820 wrote to memory of 4896	4820	932d2daed83de552a3fa0aeb838b214ab9fd8f7e94ff72bbd4f98b5c3aa3c2d2.exe	86
PID 4820 wrote to memory of 4896	4820	932d2daed83de552a3fa0aeb838b214ab9fd8f7e94ff72bbd4f98b5c3aa3c2d2.exe	86
PID 4820 wrote to memory of 4896	4820	932d2daed83de552a3fa0aeb838b214ab9fd8f7e94ff72bbd4f98b5c3aa3c2d2.exe	86
PID 4820 wrote to memory of 4036	4820	932d2daed83de552a3fa0aeb838b214ab9fd8f7e94ff72bbd4f98b5c3aa3c2d2.exe	87
PID 4820 wrote to memory of 4036	4820	932d2daed83de552a3fa0aeb838b214ab9fd8f7e94ff72bbd4f98b5c3aa3c2d2.exe	87
PID 4820 wrote to memory of 4036	4820	932d2daed83de552a3fa0aeb838b214ab9fd8f7e94ff72bbd4f98b5c3aa3c2d2.exe	87
PID 4820 wrote to memory of 5012	4820	932d2daed83de552a3fa0aeb838b214ab9fd8f7e94ff72bbd4f98b5c3aa3c2d2.exe	88
PID 4820 wrote to memory of 5012	4820	932d2daed83de552a3fa0aeb838b214ab9fd8f7e94ff72bbd4f98b5c3aa3c2d2.exe	88
PID 4820 wrote to memory of 5012	4820	932d2daed83de552a3fa0aeb838b214ab9fd8f7e94ff72bbd4f98b5c3aa3c2d2.exe	88
PID 4820 wrote to memory of 3372	4820	932d2daed83de552a3fa0aeb838b214ab9fd8f7e94ff72bbd4f98b5c3aa3c2d2.exe	89
PID 4820 wrote to memory of 3372	4820	932d2daed83de552a3fa0aeb838b214ab9fd8f7e94ff72bbd4f98b5c3aa3c2d2.exe	89
PID 4820 wrote to memory of 3372	4820	932d2daed83de552a3fa0aeb838b214ab9fd8f7e94ff72bbd4f98b5c3aa3c2d2.exe	89
PID 4820 wrote to memory of 4816	4820	932d2daed83de552a3fa0aeb838b214ab9fd8f7e94ff72bbd4f98b5c3aa3c2d2.exe	90
PID 4820 wrote to memory of 4816	4820	932d2daed83de552a3fa0aeb838b214ab9fd8f7e94ff72bbd4f98b5c3aa3c2d2.exe	90
PID 4820 wrote to memory of 4816	4820	932d2daed83de552a3fa0aeb838b214ab9fd8f7e94ff72bbd4f98b5c3aa3c2d2.exe	90
PID 4896 wrote to memory of 2744	4896	Tiwi.exe	91
PID 4896 wrote to memory of 2744	4896	Tiwi.exe	91
PID 4896 wrote to memory of 2744	4896	Tiwi.exe	91
PID 4036 wrote to memory of 5096	4036	IExplorer.exe	92
PID 4036 wrote to memory of 5096	4036	IExplorer.exe	92
PID 4036 wrote to memory of 5096	4036	IExplorer.exe	92
PID 4896 wrote to memory of 4388	4896	Tiwi.exe	93
PID 4896 wrote to memory of 4388	4896	Tiwi.exe	93
PID 4896 wrote to memory of 4388	4896	Tiwi.exe	93
PID 4036 wrote to memory of 1268	4036	IExplorer.exe	94
PID 4036 wrote to memory of 1268	4036	IExplorer.exe	94
PID 4036 wrote to memory of 1268	4036	IExplorer.exe	94
PID 4896 wrote to memory of 1008	4896	Tiwi.exe	95
PID 4896 wrote to memory of 1008	4896	Tiwi.exe	95
PID 4896 wrote to memory of 1008	4896	Tiwi.exe	95
PID 4036 wrote to memory of 3708	4036	IExplorer.exe	96
PID 4036 wrote to memory of 3708	4036	IExplorer.exe	96
PID 4036 wrote to memory of 3708	4036	IExplorer.exe	96
PID 4896 wrote to memory of 3312	4896	Tiwi.exe	97
PID 4896 wrote to memory of 3312	4896	Tiwi.exe	97
PID 4896 wrote to memory of 3312	4896	Tiwi.exe	97
PID 4036 wrote to memory of 3024	4036	IExplorer.exe	98
PID 4036 wrote to memory of 3024	4036	IExplorer.exe	98
PID 4036 wrote to memory of 3024	4036	IExplorer.exe	98
PID 4896 wrote to memory of 564	4896	Tiwi.exe	99
PID 4896 wrote to memory of 564	4896	Tiwi.exe	99
PID 4896 wrote to memory of 564	4896	Tiwi.exe	99
PID 4036 wrote to memory of 4256	4036	IExplorer.exe	100
PID 4036 wrote to memory of 4256	4036	IExplorer.exe	100
PID 4036 wrote to memory of 4256	4036	IExplorer.exe	100
PID 5012 wrote to memory of 2704	5012	winlogon.exe	101

System policy modification 1 TTPs 22 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Tiwi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	932d2daed83de552a3fa0aeb838b214ab9fd8f7e94ff72bbd4f98b5c3aa3c2d2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	932d2daed83de552a3fa0aeb838b214ab9fd8f7e94ff72bbd4f98b5c3aa3c2d2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	IExplorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	imoet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	imoet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	IExplorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	imoet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	Tiwi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	cute.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cute.exe

C:\Users\Admin\AppData\Local\Temp\932d2daed83de552a3fa0aeb838b214ab9fd8f7e94ff72bbd4f98b5c3aa3c2d2.exe
"C:\Users\Admin\AppData\Local\Temp\932d2daed83de552a3fa0aeb838b214ab9fd8f7e94ff72bbd4f98b5c3aa3c2d2.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4820
- C:\Windows\Tiwi.exe
  C:\Windows\Tiwi.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies system executable filetype association
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Disables cmd.exe use via registry modification
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies WinLogon
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:4764
- - C:\Windows\Tiwi.exe
    C:\Windows\Tiwi.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:400
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies system executable filetype association
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Disables cmd.exe use via registry modification
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies WinLogon
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2232
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies system executable filetype association
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Disables cmd.exe use via registry modification
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies WinLogon
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:4952
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies system executable filetype association
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Disables cmd.exe use via registry modification
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies WinLogon
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:3304
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies system executable filetype association
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Disables cmd.exe use via registry modification
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies WinLogon
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1588
- C:\Windows\Tiwi.exe
  C:\Windows\Tiwi.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies system executable filetype association
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Disables cmd.exe use via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:4896
- - C:\Windows\Tiwi.exe
    C:\Windows\Tiwi.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:2744
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:4388
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1008
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3312
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:564
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies system executable filetype association
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Disables cmd.exe use via registry modification
  - Executes dropped EXE
  - Adds Run key to start application
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:4036
- - C:\Windows\Tiwi.exe
    C:\Windows\Tiwi.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:5096
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:1268
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3708
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3024
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4256
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies system executable filetype association
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Disables cmd.exe use via registry modification
  - Executes dropped EXE
  - Adds Run key to start application
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:5012
- - C:\Windows\Tiwi.exe
    C:\Windows\Tiwi.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:2704
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:5000
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1552
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4448
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3868
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies system executable filetype association
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Disables cmd.exe use via registry modification
  - Executes dropped EXE
  - Adds Run key to start application
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:3372
- - C:\Windows\Tiwi.exe
    C:\Windows\Tiwi.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:4664
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:2504
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1984
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3492
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4412
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies system executable filetype association
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Disables cmd.exe use via registry modification
  - Executes dropped EXE
  - Adds Run key to start application
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:4816
- - C:\Windows\Tiwi.exe
    C:\Windows\Tiwi.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:4944
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:4684
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:5032
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3020
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:912

Network

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Change Default File Association

T1042

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\WINDOWS\cute.exe

Filesize
85KB

MD5
53c2605b67980f767b712521b7b0e354

SHA1
7912e80095a95f57b1acba94d36d875e4ab78a53

SHA256
40ddf9ef77a0c9987c93f0ee0f2a843596e3163ccd3a6aca7c10c2687aabc10c

SHA512
216079a82635d2038b7574de3a16688d80959db8ef9e85347433257f6389e45989bb107dca1b865c0df2c45af0dd08c05fd51194dedbe53f21f86dbeb824ecf8

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\cute.exe

Filesize
85KB

MD5
1e7d8b80863664c4da839e152e7fa359

SHA1
77b7d4bc4c6031cbaffe4640ab3703aacf814361

SHA256
2b022e2664a66ffe488ed0ed5f95410a2daa8c6e3fa57068456b20f5e26addf4

SHA512
d70c038a572e27579dce807f248946bc08d5ceb14edf1e7db2e6268ad70e2fb8cb4df767179d93e12e10be54e422218a7e5c88699de46777fc75a42a781f33a0

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\imoet.exe

Filesize
85KB

MD5
8d2f794a2c699f81ae078c1afea8c13f

SHA1
1d02cf784a83569b72f8efcb556f530b7d66fc58

SHA256
ced18990fd6644808a380bf59d83ab35df63ad7ab1ca3c8a3f5c4d714ae7030b

SHA512
8cbbfb817434abe4786ad095a0eda04261059bfe1c14c3d9cccbd7d097c010001892a2fdf5609daeef6a68459485c14fcb8b7af7a93645b6dea79b3795c235d2

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\imoet.exe

Filesize
85KB

MD5
0753b2f86a96c54022b1f5d77f62a688

SHA1
417965c58111d4d3bd873e3cd12255246f5fa10b

SHA256
1dcb4ce09aa4d47c3287a7d38111ece62ac965a71a4fa8f7e25b3abb18e45101

SHA512
41e676039733029dd5594ebd2229d072f381f72a58838a2f112c41f8c5163f820f2ad62afa4e19243134fccb34fe9a868d8ab56088023898725de21ff77d49ed

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\winlogon.exe

Filesize
85KB

MD5
debbb72bb0dd2d6cb10747dd52b18444

SHA1
a639427d14a3d84813cd500cdc60a1222857640f

SHA256
2419cff4f282177e569b678df3eb5b67e3b9cd6457a405e3356ea4c288ebc498

SHA512
64ad300f4e0c0da444621b36148f3b744194261b648d13b74f11e121f0189af45dce4b21b5144ee74a8f74bccd12124f8eca1c09845211edd0777d5bc221ee66

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\winlogon.exe

Filesize
85KB

MD5
5a984ad5987362f89d9fe4238dbeffdc

SHA1
5eaa28399363bc49e7781479ef3917a523843c66

SHA256
ad8eae8356a0bd5c7ab0fd8f5536425220d81e140005aceccc384267b5a5ce24

SHA512
1a36a6b474e93d01406cf512606f84e4cd020bd05bb584be157fe0fc369b9319c07e67ddfc151a857cf6c6997540eddcbe6848ac68e55dbacf1b4f603d320929

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

Filesize
85KB

MD5
53c2605b67980f767b712521b7b0e354

SHA1
7912e80095a95f57b1acba94d36d875e4ab78a53

SHA256
40ddf9ef77a0c9987c93f0ee0f2a843596e3163ccd3a6aca7c10c2687aabc10c

SHA512
216079a82635d2038b7574de3a16688d80959db8ef9e85347433257f6389e45989bb107dca1b865c0df2c45af0dd08c05fd51194dedbe53f21f86dbeb824ecf8

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

Filesize
85KB

MD5
1e7d8b80863664c4da839e152e7fa359

SHA1
77b7d4bc4c6031cbaffe4640ab3703aacf814361

SHA256
2b022e2664a66ffe488ed0ed5f95410a2daa8c6e3fa57068456b20f5e26addf4

SHA512
d70c038a572e27579dce807f248946bc08d5ceb14edf1e7db2e6268ad70e2fb8cb4df767179d93e12e10be54e422218a7e5c88699de46777fc75a42a781f33a0

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe

Filesize
85KB

MD5
8d2f794a2c699f81ae078c1afea8c13f

SHA1
1d02cf784a83569b72f8efcb556f530b7d66fc58

SHA256
ced18990fd6644808a380bf59d83ab35df63ad7ab1ca3c8a3f5c4d714ae7030b

SHA512
8cbbfb817434abe4786ad095a0eda04261059bfe1c14c3d9cccbd7d097c010001892a2fdf5609daeef6a68459485c14fcb8b7af7a93645b6dea79b3795c235d2

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe

Filesize
85KB

MD5
0753b2f86a96c54022b1f5d77f62a688

SHA1
417965c58111d4d3bd873e3cd12255246f5fa10b

SHA256
1dcb4ce09aa4d47c3287a7d38111ece62ac965a71a4fa8f7e25b3abb18e45101

SHA512
41e676039733029dd5594ebd2229d072f381f72a58838a2f112c41f8c5163f820f2ad62afa4e19243134fccb34fe9a868d8ab56088023898725de21ff77d49ed

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

Filesize
45KB

MD5
9ca8e1a6eff9b1195bcab97dca4d2b5c

SHA1
7a8ed8a5766f882a40bb4a0ca228fa8d903c95c8

SHA256
6e4f7dd49dbbd2971fe66846a677501f6b21f1f00e2072061a2eef66b6434d79

SHA512
3ce6508329ea87949ab60ec4d991773058dab22cf1bc003d8d3650981de7c8fd89664b4ff3c50d8c95e475ea712f87f2bd7472da6bf7b380e3ce331502550a40

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

Filesize
45KB

MD5
721a498694d7b775a349a18212036780

SHA1
0661ff3dae6e9f745160e7c26350b9e8e5aee9ec

SHA256
ff2f9f069282dc902ce1c7b2312a966bc437eb1e0eb5b879d0a32786d80ad8d0

SHA512
6a227a05248acb854c1ff56f61d13b861dc81050c2a78fb2d58e35a3ecf1757e599198f5292f47daba5c70a8896f98318081d68410c1e52c789fa3d81aa9ff8c

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

Filesize
45KB

MD5
bb19bddf77e6d242a83937b7df2865f6

SHA1
e9f6b5ea67ced983afab1905f44866ea10c7c44b

SHA256
602d425e1ae50d20f26515e6e23ff2e88456f9f3f72837bbdb54b207cb2723ac

SHA512
96544acf6de0c1b75f8849aea717f33d9ed5395886092a63a411ffba18aeaf891dbcbc929a19a0cb8fc48af3986d5a9ac4b96e78958f041d9161b5d5c4c5f344

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

Filesize
45KB

MD5
aeaf074bf9e49ae354197c6a91fb51a4

SHA1
3984c083fa1a651498c2a4ff0671df9e8036da65

SHA256
921793890d905b2a92393c6d94e58998c4a67425f6eabd6ea6a56018a469ed89

SHA512
39984852118ce83c769865fa87ea269237122f1445063f6804d1de51e5a8b33b3797c9cf08125d8c96632ba494fd1512ad2d04d2e90ee54085e4642b588b5266

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\smss.exe

Filesize
85KB

MD5
0d9fde1582052315cff7d346d40c47e1

SHA1
c79906d6e8c25c6b22781af6a038e1d59695c790

SHA256
932d2daed83de552a3fa0aeb838b214ab9fd8f7e94ff72bbd4f98b5c3aa3c2d2

SHA512
2fc23420a4389efb6e79978ce14da54177e0b01d860989e370a442c399c20788cc71e32e33fd77187a01f31f50932c25ab0dcd063a20abbcce07e29f8f372214

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\smss.exe

Filesize
85KB

MD5
fc1eed052c2abccd8d5b15f2beedbe8a

SHA1
106b6b69bd0801cca4cec9f18d70fe0a182a425e

SHA256
2a4ae8c86226462a08d7887550ae2b2577e12747e79a4becccfdfbd00ad23855

SHA512
254c103dd4e2446a913ce638964e7a573a7178b883ec44dd98e981d1ed7ca190000d612d4ec9186fb467ef81ed6740f318f7de106a60f6d0ea8b5ac76b186763

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\smss.exe

Filesize
85KB

MD5
fc1eed052c2abccd8d5b15f2beedbe8a

SHA1
106b6b69bd0801cca4cec9f18d70fe0a182a425e

SHA256
2a4ae8c86226462a08d7887550ae2b2577e12747e79a4becccfdfbd00ad23855

SHA512
254c103dd4e2446a913ce638964e7a573a7178b883ec44dd98e981d1ed7ca190000d612d4ec9186fb467ef81ed6740f318f7de106a60f6d0ea8b5ac76b186763

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\smss.exe

Filesize
85KB

MD5
a2ce43989a2a95343293147d8440fe2a

SHA1
f353a56c82dad830fd0796fd458e9f8a1566ecb3

SHA256
bb7c7643bcfbbe59918ec2069f6d86c143617776723fb36268f41c4c18a932de

SHA512
80789f8ac4b0231eff75bb7151cc035873611cb0e5b72e36286a75f52030f9544388ee8f465c8d3009742caf4a4fad4efcf1d4de62aecc8b9c62ff016af029d5

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\smss.exe

Filesize
85KB

MD5
a2ce43989a2a95343293147d8440fe2a

SHA1
f353a56c82dad830fd0796fd458e9f8a1566ecb3

SHA256
bb7c7643bcfbbe59918ec2069f6d86c143617776723fb36268f41c4c18a932de

SHA512
80789f8ac4b0231eff75bb7151cc035873611cb0e5b72e36286a75f52030f9544388ee8f465c8d3009742caf4a4fad4efcf1d4de62aecc8b9c62ff016af029d5

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\smss.exe

Filesize
85KB

MD5
d1214640257fc250b55d6d948f2ab021

SHA1
ee19854a7eee7ae92a4cdc5ebd1c1299e9fdeaa7

SHA256
8c92362d6cd3b61aaee37f1cde13ba16cafb98d3a42f562faa09a49dbba04f68

SHA512
5773b990d53b5c1ffecb7a20a83b0ef87b2b7312c2694afbaabbc67107a74db37e8e72a28156a8bb705b26d2df49c03287f8a0292f2d70ce281d6032c276c9b1

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

Filesize
85KB

MD5
debbb72bb0dd2d6cb10747dd52b18444

SHA1
a639427d14a3d84813cd500cdc60a1222857640f

SHA256
2419cff4f282177e569b678df3eb5b67e3b9cd6457a405e3356ea4c288ebc498

SHA512
64ad300f4e0c0da444621b36148f3b744194261b648d13b74f11e121f0189af45dce4b21b5144ee74a8f74bccd12124f8eca1c09845211edd0777d5bc221ee66

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

Filesize
85KB

MD5
5a984ad5987362f89d9fe4238dbeffdc

SHA1
5eaa28399363bc49e7781479ef3917a523843c66

SHA256
ad8eae8356a0bd5c7ab0fd8f5536425220d81e140005aceccc384267b5a5ce24

SHA512
1a36a6b474e93d01406cf512606f84e4cd020bd05bb584be157fe0fc369b9319c07e67ddfc151a857cf6c6997540eddcbe6848ac68e55dbacf1b4f603d320929

Download Submit
C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

Filesize
85KB

MD5
d25a29c5c992699c5e76047e41efc40c

SHA1
6745006a843d603ada098f13fcca3119f14931c2

SHA256
a6104e25389ff52ebcdaf06056a03492bfcf9d9b215ee2c6eb604e180165271c

SHA512
55a7c9b433af0bd6c7198b3d0740a718948fcd29159716c317901507804a035544b5e2ef8055bc048537b7e42e35bddc3bcf6fdf2cca715a383fc6a1f8b8bffe

Download Submit
C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

Filesize
85KB

MD5
fc1eed052c2abccd8d5b15f2beedbe8a

SHA1
106b6b69bd0801cca4cec9f18d70fe0a182a425e

SHA256
2a4ae8c86226462a08d7887550ae2b2577e12747e79a4becccfdfbd00ad23855

SHA512
254c103dd4e2446a913ce638964e7a573a7178b883ec44dd98e981d1ed7ca190000d612d4ec9186fb467ef81ed6740f318f7de106a60f6d0ea8b5ac76b186763

Download Submit
C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

Filesize
85KB

MD5
0d9fde1582052315cff7d346d40c47e1

SHA1
c79906d6e8c25c6b22781af6a038e1d59695c790

SHA256
932d2daed83de552a3fa0aeb838b214ab9fd8f7e94ff72bbd4f98b5c3aa3c2d2

SHA512
2fc23420a4389efb6e79978ce14da54177e0b01d860989e370a442c399c20788cc71e32e33fd77187a01f31f50932c25ab0dcd063a20abbcce07e29f8f372214

Download Submit
C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

Filesize
85KB

MD5
58d4ed863de1e39faa19abaf9fcbf1b6

SHA1
72bbb6ccc6e4654599036cc2e1d734ebbf1f0f53

SHA256
66dc3a175a02fa38c867ab0562f9073bb8b024e011814600c8433b9368460a70

SHA512
cb0b00ba834e27fc3563cea395c7de1d3d84e54ae30a5d1086333188251514a4058950685fd1ebdd7d8de29f31f095884d43e7204984110e1aee2434ab35da9b

Download Submit
C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

Filesize
85KB

MD5
d1214640257fc250b55d6d948f2ab021

SHA1
ee19854a7eee7ae92a4cdc5ebd1c1299e9fdeaa7

SHA256
8c92362d6cd3b61aaee37f1cde13ba16cafb98d3a42f562faa09a49dbba04f68

SHA512
5773b990d53b5c1ffecb7a20a83b0ef87b2b7312c2694afbaabbc67107a74db37e8e72a28156a8bb705b26d2df49c03287f8a0292f2d70ce281d6032c276c9b1

Download Submit
C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

Filesize
85KB

MD5
5a984ad5987362f89d9fe4238dbeffdc

SHA1
5eaa28399363bc49e7781479ef3917a523843c66

SHA256
ad8eae8356a0bd5c7ab0fd8f5536425220d81e140005aceccc384267b5a5ce24

SHA512
1a36a6b474e93d01406cf512606f84e4cd020bd05bb584be157fe0fc369b9319c07e67ddfc151a857cf6c6997540eddcbe6848ac68e55dbacf1b4f603d320929

Download Submit
C:\Windows\MSVBVM60.DLL

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\IExplorer.exe

Filesize
85KB

MD5
fc1eed052c2abccd8d5b15f2beedbe8a

SHA1
106b6b69bd0801cca4cec9f18d70fe0a182a425e

SHA256
2a4ae8c86226462a08d7887550ae2b2577e12747e79a4becccfdfbd00ad23855

SHA512
254c103dd4e2446a913ce638964e7a573a7178b883ec44dd98e981d1ed7ca190000d612d4ec9186fb467ef81ed6740f318f7de106a60f6d0ea8b5ac76b186763

Download Submit
C:\Windows\SysWOW64\IExplorer.exe

Filesize
85KB

MD5
fc1eed052c2abccd8d5b15f2beedbe8a

SHA1
106b6b69bd0801cca4cec9f18d70fe0a182a425e

SHA256
2a4ae8c86226462a08d7887550ae2b2577e12747e79a4becccfdfbd00ad23855

SHA512
254c103dd4e2446a913ce638964e7a573a7178b883ec44dd98e981d1ed7ca190000d612d4ec9186fb467ef81ed6740f318f7de106a60f6d0ea8b5ac76b186763

Download Submit
C:\Windows\SysWOW64\IExplorer.exe

Filesize
85KB

MD5
d1214640257fc250b55d6d948f2ab021

SHA1
ee19854a7eee7ae92a4cdc5ebd1c1299e9fdeaa7

SHA256
8c92362d6cd3b61aaee37f1cde13ba16cafb98d3a42f562faa09a49dbba04f68

SHA512
5773b990d53b5c1ffecb7a20a83b0ef87b2b7312c2694afbaabbc67107a74db37e8e72a28156a8bb705b26d2df49c03287f8a0292f2d70ce281d6032c276c9b1

Download Submit
C:\Windows\SysWOW64\IExplorer.exe

Filesize
85KB

MD5
d1214640257fc250b55d6d948f2ab021

SHA1
ee19854a7eee7ae92a4cdc5ebd1c1299e9fdeaa7

SHA256
8c92362d6cd3b61aaee37f1cde13ba16cafb98d3a42f562faa09a49dbba04f68

SHA512
5773b990d53b5c1ffecb7a20a83b0ef87b2b7312c2694afbaabbc67107a74db37e8e72a28156a8bb705b26d2df49c03287f8a0292f2d70ce281d6032c276c9b1

Download Submit
C:\Windows\SysWOW64\shell.exe

Filesize
85KB

MD5
d25a29c5c992699c5e76047e41efc40c

SHA1
6745006a843d603ada098f13fcca3119f14931c2

SHA256
a6104e25389ff52ebcdaf06056a03492bfcf9d9b215ee2c6eb604e180165271c

SHA512
55a7c9b433af0bd6c7198b3d0740a718948fcd29159716c317901507804a035544b5e2ef8055bc048537b7e42e35bddc3bcf6fdf2cca715a383fc6a1f8b8bffe

Download Submit
C:\Windows\SysWOW64\shell.exe

Filesize
85KB

MD5
fc1eed052c2abccd8d5b15f2beedbe8a

SHA1
106b6b69bd0801cca4cec9f18d70fe0a182a425e

SHA256
2a4ae8c86226462a08d7887550ae2b2577e12747e79a4becccfdfbd00ad23855

SHA512
254c103dd4e2446a913ce638964e7a573a7178b883ec44dd98e981d1ed7ca190000d612d4ec9186fb467ef81ed6740f318f7de106a60f6d0ea8b5ac76b186763

Download Submit
C:\Windows\SysWOW64\shell.exe

Filesize
85KB

MD5
0d9fde1582052315cff7d346d40c47e1

SHA1
c79906d6e8c25c6b22781af6a038e1d59695c790

SHA256
932d2daed83de552a3fa0aeb838b214ab9fd8f7e94ff72bbd4f98b5c3aa3c2d2

SHA512
2fc23420a4389efb6e79978ce14da54177e0b01d860989e370a442c399c20788cc71e32e33fd77187a01f31f50932c25ab0dcd063a20abbcce07e29f8f372214

Download Submit
C:\Windows\SysWOW64\shell.exe

Filesize
85KB

MD5
a2ce43989a2a95343293147d8440fe2a

SHA1
f353a56c82dad830fd0796fd458e9f8a1566ecb3

SHA256
bb7c7643bcfbbe59918ec2069f6d86c143617776723fb36268f41c4c18a932de

SHA512
80789f8ac4b0231eff75bb7151cc035873611cb0e5b72e36286a75f52030f9544388ee8f465c8d3009742caf4a4fad4efcf1d4de62aecc8b9c62ff016af029d5

Download Submit
C:\Windows\SysWOW64\shell.exe

Filesize
85KB

MD5
d1214640257fc250b55d6d948f2ab021

SHA1
ee19854a7eee7ae92a4cdc5ebd1c1299e9fdeaa7

SHA256
8c92362d6cd3b61aaee37f1cde13ba16cafb98d3a42f562faa09a49dbba04f68

SHA512
5773b990d53b5c1ffecb7a20a83b0ef87b2b7312c2694afbaabbc67107a74db37e8e72a28156a8bb705b26d2df49c03287f8a0292f2d70ce281d6032c276c9b1

Download Submit
C:\Windows\SysWOW64\shell.exe

Filesize
85KB

MD5
5a984ad5987362f89d9fe4238dbeffdc

SHA1
5eaa28399363bc49e7781479ef3917a523843c66

SHA256
ad8eae8356a0bd5c7ab0fd8f5536425220d81e140005aceccc384267b5a5ce24

SHA512
1a36a6b474e93d01406cf512606f84e4cd020bd05bb584be157fe0fc369b9319c07e67ddfc151a857cf6c6997540eddcbe6848ac68e55dbacf1b4f603d320929

Download Submit
C:\Windows\SysWOW64\tiwi.scr

Filesize
85KB

MD5
d25a29c5c992699c5e76047e41efc40c

SHA1
6745006a843d603ada098f13fcca3119f14931c2

SHA256
a6104e25389ff52ebcdaf06056a03492bfcf9d9b215ee2c6eb604e180165271c

SHA512
55a7c9b433af0bd6c7198b3d0740a718948fcd29159716c317901507804a035544b5e2ef8055bc048537b7e42e35bddc3bcf6fdf2cca715a383fc6a1f8b8bffe

Download Submit
C:\Windows\SysWOW64\tiwi.scr

Filesize
85KB

MD5
fc1eed052c2abccd8d5b15f2beedbe8a

SHA1
106b6b69bd0801cca4cec9f18d70fe0a182a425e

SHA256
2a4ae8c86226462a08d7887550ae2b2577e12747e79a4becccfdfbd00ad23855

SHA512
254c103dd4e2446a913ce638964e7a573a7178b883ec44dd98e981d1ed7ca190000d612d4ec9186fb467ef81ed6740f318f7de106a60f6d0ea8b5ac76b186763

Download Submit
C:\Windows\SysWOW64\tiwi.scr

Filesize
85KB

MD5
0d9fde1582052315cff7d346d40c47e1

SHA1
c79906d6e8c25c6b22781af6a038e1d59695c790

SHA256
932d2daed83de552a3fa0aeb838b214ab9fd8f7e94ff72bbd4f98b5c3aa3c2d2

SHA512
2fc23420a4389efb6e79978ce14da54177e0b01d860989e370a442c399c20788cc71e32e33fd77187a01f31f50932c25ab0dcd063a20abbcce07e29f8f372214

Download Submit
C:\Windows\SysWOW64\tiwi.scr

Filesize
85KB

MD5
a2ce43989a2a95343293147d8440fe2a

SHA1
f353a56c82dad830fd0796fd458e9f8a1566ecb3

SHA256
bb7c7643bcfbbe59918ec2069f6d86c143617776723fb36268f41c4c18a932de

SHA512
80789f8ac4b0231eff75bb7151cc035873611cb0e5b72e36286a75f52030f9544388ee8f465c8d3009742caf4a4fad4efcf1d4de62aecc8b9c62ff016af029d5

Download Submit
C:\Windows\SysWOW64\tiwi.scr

Filesize
85KB

MD5
d1214640257fc250b55d6d948f2ab021

SHA1
ee19854a7eee7ae92a4cdc5ebd1c1299e9fdeaa7

SHA256
8c92362d6cd3b61aaee37f1cde13ba16cafb98d3a42f562faa09a49dbba04f68

SHA512
5773b990d53b5c1ffecb7a20a83b0ef87b2b7312c2694afbaabbc67107a74db37e8e72a28156a8bb705b26d2df49c03287f8a0292f2d70ce281d6032c276c9b1

Download Submit
C:\Windows\SysWOW64\tiwi.scr

Filesize
85KB

MD5
5a984ad5987362f89d9fe4238dbeffdc

SHA1
5eaa28399363bc49e7781479ef3917a523843c66

SHA256
ad8eae8356a0bd5c7ab0fd8f5536425220d81e140005aceccc384267b5a5ce24

SHA512
1a36a6b474e93d01406cf512606f84e4cd020bd05bb584be157fe0fc369b9319c07e67ddfc151a857cf6c6997540eddcbe6848ac68e55dbacf1b4f603d320929

Download Submit
C:\Windows\SysWOW64\tiwi.scr

Filesize
85KB

MD5
5a984ad5987362f89d9fe4238dbeffdc

SHA1
5eaa28399363bc49e7781479ef3917a523843c66

SHA256
ad8eae8356a0bd5c7ab0fd8f5536425220d81e140005aceccc384267b5a5ce24

SHA512
1a36a6b474e93d01406cf512606f84e4cd020bd05bb584be157fe0fc369b9319c07e67ddfc151a857cf6c6997540eddcbe6848ac68e55dbacf1b4f603d320929

Download Submit
C:\Windows\Tiwi.exe

Filesize
85KB

MD5
d25a29c5c992699c5e76047e41efc40c

SHA1
6745006a843d603ada098f13fcca3119f14931c2

SHA256
a6104e25389ff52ebcdaf06056a03492bfcf9d9b215ee2c6eb604e180165271c

SHA512
55a7c9b433af0bd6c7198b3d0740a718948fcd29159716c317901507804a035544b5e2ef8055bc048537b7e42e35bddc3bcf6fdf2cca715a383fc6a1f8b8bffe

Download Submit
C:\Windows\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\tiwi.exe

Filesize
85KB

MD5
d25a29c5c992699c5e76047e41efc40c

SHA1
6745006a843d603ada098f13fcca3119f14931c2

SHA256
a6104e25389ff52ebcdaf06056a03492bfcf9d9b215ee2c6eb604e180165271c

SHA512
55a7c9b433af0bd6c7198b3d0740a718948fcd29159716c317901507804a035544b5e2ef8055bc048537b7e42e35bddc3bcf6fdf2cca715a383fc6a1f8b8bffe

Download Submit
C:\Windows\tiwi.exe

Filesize
85KB

MD5
d25a29c5c992699c5e76047e41efc40c

SHA1
6745006a843d603ada098f13fcca3119f14931c2

SHA256
a6104e25389ff52ebcdaf06056a03492bfcf9d9b215ee2c6eb604e180165271c

SHA512
55a7c9b433af0bd6c7198b3d0740a718948fcd29159716c317901507804a035544b5e2ef8055bc048537b7e42e35bddc3bcf6fdf2cca715a383fc6a1f8b8bffe

Download Submit
C:\Windows\tiwi.exe

Filesize
85KB

MD5
a2ce43989a2a95343293147d8440fe2a

SHA1
f353a56c82dad830fd0796fd458e9f8a1566ecb3

SHA256
bb7c7643bcfbbe59918ec2069f6d86c143617776723fb36268f41c4c18a932de

SHA512
80789f8ac4b0231eff75bb7151cc035873611cb0e5b72e36286a75f52030f9544388ee8f465c8d3009742caf4a4fad4efcf1d4de62aecc8b9c62ff016af029d5

Download Submit
C:\Windows\tiwi.exe

Filesize
85KB

MD5
a2ce43989a2a95343293147d8440fe2a

SHA1
f353a56c82dad830fd0796fd458e9f8a1566ecb3

SHA256
bb7c7643bcfbbe59918ec2069f6d86c143617776723fb36268f41c4c18a932de

SHA512
80789f8ac4b0231eff75bb7151cc035873611cb0e5b72e36286a75f52030f9544388ee8f465c8d3009742caf4a4fad4efcf1d4de62aecc8b9c62ff016af029d5

Download Submit
C:\Windows\tiwi.exe

Filesize
85KB

MD5
a2ce43989a2a95343293147d8440fe2a

SHA1
f353a56c82dad830fd0796fd458e9f8a1566ecb3

SHA256
bb7c7643bcfbbe59918ec2069f6d86c143617776723fb36268f41c4c18a932de

SHA512
80789f8ac4b0231eff75bb7151cc035873611cb0e5b72e36286a75f52030f9544388ee8f465c8d3009742caf4a4fad4efcf1d4de62aecc8b9c62ff016af029d5

Download Submit
C:\present.txt

Filesize
729B

MD5
8e3c734e8dd87d639fb51500d42694b5

SHA1
f76371d31eed9663e9a4fd7cb95f54dcfc51f87f

SHA256
574a3a546332854d82e4f5b54cc5e8731fe9828e14e89a728be7e53ed21f6bad

SHA512
06ef1ddd1dd2b30d7db261e9ac78601111eeb1315d2c46f42ec71d14611376a951af3e9c6178bb7235f0d61c022d4715aeb528f775a3cf7da249ab0b2e706853

Download Submit
C:\present.txt

Filesize
729B

MD5
8e3c734e8dd87d639fb51500d42694b5

SHA1
f76371d31eed9663e9a4fd7cb95f54dcfc51f87f

SHA256
574a3a546332854d82e4f5b54cc5e8731fe9828e14e89a728be7e53ed21f6bad

SHA512
06ef1ddd1dd2b30d7db261e9ac78601111eeb1315d2c46f42ec71d14611376a951af3e9c6178bb7235f0d61c022d4715aeb528f775a3cf7da249ab0b2e706853

Download Submit
C:\present.txt

Filesize
729B

MD5
8e3c734e8dd87d639fb51500d42694b5

SHA1
f76371d31eed9663e9a4fd7cb95f54dcfc51f87f

SHA256
574a3a546332854d82e4f5b54cc5e8731fe9828e14e89a728be7e53ed21f6bad

SHA512
06ef1ddd1dd2b30d7db261e9ac78601111eeb1315d2c46f42ec71d14611376a951af3e9c6178bb7235f0d61c022d4715aeb528f775a3cf7da249ab0b2e706853

Download Submit
C:\tiwi.exe

Filesize
85KB

MD5
d25a29c5c992699c5e76047e41efc40c

SHA1
6745006a843d603ada098f13fcca3119f14931c2

SHA256
a6104e25389ff52ebcdaf06056a03492bfcf9d9b215ee2c6eb604e180165271c

SHA512
55a7c9b433af0bd6c7198b3d0740a718948fcd29159716c317901507804a035544b5e2ef8055bc048537b7e42e35bddc3bcf6fdf2cca715a383fc6a1f8b8bffe

Download Submit
C:\tiwi.exe

Filesize
85KB

MD5
fc1eed052c2abccd8d5b15f2beedbe8a

SHA1
106b6b69bd0801cca4cec9f18d70fe0a182a425e

SHA256
2a4ae8c86226462a08d7887550ae2b2577e12747e79a4becccfdfbd00ad23855

SHA512
254c103dd4e2446a913ce638964e7a573a7178b883ec44dd98e981d1ed7ca190000d612d4ec9186fb467ef81ed6740f318f7de106a60f6d0ea8b5ac76b186763

Download Submit
C:\tiwi.exe

Filesize
85KB

MD5
0d9fde1582052315cff7d346d40c47e1

SHA1
c79906d6e8c25c6b22781af6a038e1d59695c790

SHA256
932d2daed83de552a3fa0aeb838b214ab9fd8f7e94ff72bbd4f98b5c3aa3c2d2

SHA512
2fc23420a4389efb6e79978ce14da54177e0b01d860989e370a442c399c20788cc71e32e33fd77187a01f31f50932c25ab0dcd063a20abbcce07e29f8f372214

Download Submit
C:\tiwi.exe

Filesize
85KB

MD5
a2ce43989a2a95343293147d8440fe2a

SHA1
f353a56c82dad830fd0796fd458e9f8a1566ecb3

SHA256
bb7c7643bcfbbe59918ec2069f6d86c143617776723fb36268f41c4c18a932de

SHA512
80789f8ac4b0231eff75bb7151cc035873611cb0e5b72e36286a75f52030f9544388ee8f465c8d3009742caf4a4fad4efcf1d4de62aecc8b9c62ff016af029d5

Download Submit
C:\tiwi.exe

Filesize
85KB

MD5
d1214640257fc250b55d6d948f2ab021

SHA1
ee19854a7eee7ae92a4cdc5ebd1c1299e9fdeaa7

SHA256
8c92362d6cd3b61aaee37f1cde13ba16cafb98d3a42f562faa09a49dbba04f68

SHA512
5773b990d53b5c1ffecb7a20a83b0ef87b2b7312c2694afbaabbc67107a74db37e8e72a28156a8bb705b26d2df49c03287f8a0292f2d70ce281d6032c276c9b1

Download Submit
C:\tiwi.exe

Filesize
85KB

MD5
5a984ad5987362f89d9fe4238dbeffdc

SHA1
5eaa28399363bc49e7781479ef3917a523843c66

SHA256
ad8eae8356a0bd5c7ab0fd8f5536425220d81e140005aceccc384267b5a5ce24

SHA512
1a36a6b474e93d01406cf512606f84e4cd020bd05bb584be157fe0fc369b9319c07e67ddfc151a857cf6c6997540eddcbe6848ac68e55dbacf1b4f603d320929

Download Submit
memory/400-172-0x0000000000000000-mapping.dmp

Download
memory/400-185-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/564-278-0x0000000000000000-mapping.dmp

Download
memory/564-284-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/912-341-0x0000000000000000-mapping.dmp

Download
memory/912-345-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1008-261-0x0000000000000000-mapping.dmp

Download
memory/1008-267-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1268-262-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1268-256-0x0000000000000000-mapping.dmp

Download
memory/1552-307-0x0000000000000000-mapping.dmp

Download
memory/1552-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1588-157-0x0000000000000000-mapping.dmp

Download
memory/1588-173-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1984-311-0x0000000000000000-mapping.dmp

Download
memory/1984-321-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2232-142-0x0000000000000000-mapping.dmp

Download
memory/2232-167-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2232-183-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2504-298-0x0000000000000000-mapping.dmp

Download
memory/2504-308-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2704-291-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2704-286-0x0000000000000000-mapping.dmp

Download
memory/2744-251-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2744-231-0x0000000000000000-mapping.dmp

Download
memory/3020-338-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3020-328-0x0000000000000000-mapping.dmp

Download
memory/3020-333-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3024-277-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3024-271-0x0000000000000000-mapping.dmp

Download
memory/3304-152-0x0000000000000000-mapping.dmp

Download
memory/3304-169-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3312-276-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3312-270-0x0000000000000000-mapping.dmp

Download
memory/3372-207-0x0000000000000000-mapping.dmp

Download
memory/3372-349-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3372-217-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3492-331-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3492-323-0x0000000000000000-mapping.dmp

Download
memory/3708-265-0x0000000000000000-mapping.dmp

Download
memory/3708-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3868-330-0x0000000000000000-mapping.dmp

Download
memory/3868-343-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4036-215-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4036-199-0x0000000000000000-mapping.dmp

Download
memory/4036-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4256-279-0x0000000000000000-mapping.dmp

Download
memory/4256-285-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4388-250-0x0000000000000000-mapping.dmp

Download
memory/4388-258-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4412-335-0x0000000000000000-mapping.dmp

Download
memory/4448-326-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4448-320-0x0000000000000000-mapping.dmp

Download
memory/4664-289-0x0000000000000000-mapping.dmp

Download
memory/4684-312-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4684-302-0x0000000000000000-mapping.dmp

Download
memory/4764-141-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4764-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4764-136-0x0000000000000000-mapping.dmp

Download
memory/4816-218-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4816-211-0x0000000000000000-mapping.dmp

Download
memory/4816-350-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4820-238-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4820-135-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4820-132-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4896-346-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4896-193-0x0000000000000000-mapping.dmp

Download
memory/4896-198-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4944-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4944-295-0x0000000000000000-mapping.dmp

Download
memory/4944-303-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4952-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4952-147-0x0000000000000000-mapping.dmp

Download
memory/5000-301-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5000-290-0x0000000000000000-mapping.dmp

Download
memory/5012-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5012-348-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5012-203-0x0000000000000000-mapping.dmp

Download
memory/5032-325-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5032-316-0x0000000000000000-mapping.dmp

Download
memory/5096-249-0x0000000000000000-mapping.dmp

Download
memory/5096-257-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download